WO2010098534A1 - Method for user terminal authentication of interface server and interface server and user terminal thereof - Google Patents

Method for user terminal authentication of interface server and interface server and user terminal thereof Download PDF

Info

Publication number
WO2010098534A1
WO2010098534A1 PCT/KR2009/007086 KR2009007086W WO2010098534A1 WO 2010098534 A1 WO2010098534 A1 WO 2010098534A1 KR 2009007086 W KR2009007086 W KR 2009007086W WO 2010098534 A1 WO2010098534 A1 WO 2010098534A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
user terminal
application service
server
service providing
Prior art date
Application number
PCT/KR2009/007086
Other languages
French (fr)
Other versions
WO2010098534A4 (en
Inventor
Soo-Jin Kim
Duc-Key Lee
Jung-Hee Bang
Original Assignee
Kt Corporation
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from KR1020090058167A external-priority patent/KR101094577B1/en
Application filed by Kt Corporation filed Critical Kt Corporation
Priority to CA2753846A priority Critical patent/CA2753846C/en
Priority to US13/203,664 priority patent/US8601560B2/en
Priority to RU2011139308/08A priority patent/RU2491771C2/en
Publication of WO2010098534A1 publication Critical patent/WO2010098534A1/en
Publication of WO2010098534A4 publication Critical patent/WO2010098534A4/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3213Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • H04L9/3273Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response for mutual authentication

Definitions

  • the present invention relates to a method for authenticating a user terminal; and more particularly, to a method for authenticating a user terminal in an interface server, and an interface server and a user terminal using the same.
  • a user terminal may access one of networks such as a Wireless Local Area Network (WLAN) network, a Code Division Multiple Access (CDMA) network, and a World Interoperability for Microwave Access (WiMAX) network.
  • WLAN Wireless Local Area Network
  • CDMA Code Division Multiple Access
  • WiMAX World Interoperability for Microwave Access
  • the WiMAX network provides a communication service that enables a user to access the Internet at a high speed and to receive data or multimedia contents not only in an indoor place but also at the outside and even during travelling using various types of user terminals such as a personal computer, a notebook computer, a personal digital assistant (PDA), a portable multimedia player (PMP), a handset, and a smart phone.
  • a WiMAX service enables a user to use the Internet even in the outdoor place such as streets, parks, and vehicles in travelling unlike a high speed internet service that enables a user to use the Internet only at an indoor place with an internet cable is installed such as home, a school, and an office.
  • a WiMAX forum has been established by communication service providers, communication equipments manufacturers, and semiconductor manufacturers in order to secure comparability among equipment employing a WiMAX technology.
  • the WiMAX forum uses an Institute of Electrical and Electronics Engineers (IEEE) standard 802.16 of a wide band wireless access technology as a fundamental technology.
  • IEEE Institute of Electrical and Electronics Engineers
  • the WiMAX forum has been trying to advance a related technology from a stationary standard 802.16d to a mobile standard 802.16e.
  • the WiMAX network is a wireless metropolitan area network (WMAN) technology based on IEEE 802.16 standard.
  • the WiMAX network includes an access service network (ASN) and a connectivity service network (CSN).
  • the access service network (ASN) includes a user terminal such as a mobile station (MS) which is a client, a base station (BS), and an access service network gateway (ASN-GW).
  • the connectivity service network (CSN) includes logical entities such as a policy function (PF) entity, an authentication authorization and accounting (AAA) server, and an application function (AF) entity.
  • PF policy function
  • AAA authentication authorization and accounting
  • AF application function
  • the mobile station is referred to as a WiMAX terminal that accesses the ASN through a wireless link.
  • An IEEE 802.16D/E standard WMAN access technology is mainly used at a wireless side of a WiMAX network.
  • the ASN guarantees establishing connection between a WiMAX terminal and a
  • the ASN manages wireless resources, finds a network, selects an optimal a network service provider (NSP) for a WiMAX subscriber, operates as a proxy server for controlling authentication authorization and accounting (AAA) of a WiMAX subscriber in a proxy mobile intern protocol (MIP), and accesses an application through a WiMAX terminal.
  • NSP network service provider
  • AAA authentication authorization and accounting
  • the CSN allocates an Internet protocol (IP) address for a session of a WiMAX subscriber, provides access for Internet, operates as an AAA proxy or an AAA server, performs a policy and controls access based on the subscribing data of a subscriber, supports establishing a tunnel between the ASN and the CSN, generates an invoice for a WiMAX subscriber, supports a policy of a WiMAX service through an operator, supports forming a loaming tunnel between CSNs, supports mobility between ASNs, provides a location based service, provides an end-to-end service, and supports various WiMAX services such as multimedia broadcast service and a multimedia broadcast multicast service (MBMS).
  • IP Internet protocol
  • MBMS multimedia broadcast multicast service
  • FIG. 1 is a diagram illustrating a network system according to the related art.
  • the network system includes a user terminal 110, a communication system 120, an Internet network 130, and an application service provider 140.
  • the user terminal 110 is any devices that can access a network including a communication system.
  • the user terminal 110 may be a notebook computer, a personal computer, a personal digital assistant (PDA), a hand set, or a personal multimedia player (PMP).
  • PDA personal digital assistant
  • PMP personal multimedia player
  • the communication system 120 includes a base station 121 or a radio access station
  • the communication system 120 may further include a location information server (LIS), a device capability server, a user profile server, a quality of service server (QoS), and a billing server.
  • LIS location information server
  • QoS quality of service server
  • the application service provider 140 has servers for providing a predetermined service to the user terminal 110.
  • the application service provider 140 may include an Internet Protocol Television (IPTV) server for providing an Internet based television programs to a user terminal 110 accessing the Internet network 130, a contents server for providing music/video contents in real time, a search engine server for providing a result of a search inquiry in response to a request of the user terminal 110, an advertisement server for providing advertisement, and a service server 139 for providing services.
  • IPTV Internet Protocol Television
  • the network system according to the related art performs following operations when a user of a user terminal 110 requests a map service from the application service provider 140.
  • the user of the user terminal 110 is located at an area A.
  • the user terminal 110 requests a map service to an application service provider 140 through a communication system 120 and an internet network 130.
  • the application service provider 140 provides a web page (or a web site) as the map service to the user terminal 110.
  • the application service provider 140 provides an initial map image of a predetermined area which is initially selected in a map service server regardless of a current location of a user terminal 110.
  • the application service provider 140 provides a map image of a corresponding area to a user.
  • the application service provider 140 provides a map image of a current location of a user terminal when the user terminal 110 access a server of the application service provider 140 providing the map service, the application service provider can provide a personalized map service to a user. In this way, the user may be provided with a better service. In order to provide such a personalized service, the application service provider 140 needs personal information. Therefore, there has been a demand for a method of receiving personal information such as location information of the user terminal 110 when the application service provider 140 provides a personalized service to the user terminal 110.
  • the application service provider 140 requests the personal information such as location information of the user terminal 110 to the communication system 120 after accessing the communication system 120, it is required to establish an interface and to perform mutual authentication among the application service provider 140, the user terminal 110, and the communication system 120.
  • An embodiment of the present invention is directed to providing an interface for enabling an application service provider to use unique information of a predetermined network by accessing a communication system that manages the predetermined network.
  • An embodiment of the present invention is directed to providing a method for mutual authentication among an application service provider, a user terminal, and a communication system operating a predetermined network.
  • a user terminal authentication method of an interface server including: receiving authentication request information from an application service providing server in order to request the interface server to authenticate the user terminal receiving an application service provided from the application service providing server; authenticating the user terminal according to the authenticating request information using an authentication method selected by the interface server or a user of the user terminal; and transmitting authentication response information including an authentication result of performing the authentication method to the application service providing server, wherein the interface server provides an interface for a network to the application service providing server.
  • an interface server including: a receiver configured to receive authentication request information from an application service providing server in order to request the interface server to authenticate a user terminal that receives an application service provided from the application service providing server; an authentication controller configured to authenticate the user terminal according to the authentication request information using an authentication method selected by the interface server or a user of the user terminal; and a transmitter configured to transmit authentication response information including an authentication result of performing the authentication method to the application service providing server, wherein the interface server provides an interface for a network to the application service providing server.
  • a method for authenticating a user terminal in an interface server including: receiving authentication request information from an application service providing server in order to request the interface server to authenticate the user terminal receiving an application service provided from the application service providing server; transmitting the authentication request information to the interface server; receiving authentication response information including an authentication result of performing an authentication method according to the authentication request information in the interface server and the authentication method is selected by the interface server or a user of the user terminal; and transmitting the received authentication response information to the application service providing server, wherein the interface server is a server providing an interface for a network to the application service providing server.
  • a user terminal including: a receiver configured to receive authentication request information from an application service providing server in order to request the interface server to authenticate the user terminal that receives an application service provided from the application service providing server; and a transmitter configured to transmit the authentication request information to the interface server, wherein the receiver receives authentication response information including an authentication result of performing an authentication method according to the authentication request information in the interface server and the authentication method is selected by the interface server or a user of the user terminal, wherein the transmitter transmits the received authentication response information to the application service providing server, and wherein the interface server provides an interface for a network to the application service providing server.
  • a computer readable recording medium storing a method for authenticating a user terminal in an interface server, the method includes: receiving authentication request information to request authenticating a user terminal that receives an application service from an application service providing server; authenticating the user terminal according to the authenticating request information using an authentication method selected by the interface server or a user of the user terminal; and transmitting authentication response information including an authentication result of performing the authentication method to the application service providing server, wherein the interface server provides an interface for a network to the application service providing server.
  • a computer readable recording medium storing a method for authenticating a user terminal in an interface server, the method includes: receiving authentication request information from an application service providing server to request the interface server to authenticate the user terminal receiving an application service provided from the application service providing server; transmitting the authentication request information to the interface server; receiving authentication response information including an authentication result of performing an authentication method selected by the interface server or a user of the user terminal according to the authentication request information in the interface server; and transmitting the received authentication response information to the application service providing server, wherein the interface server is a server providing an interface for a network to the application service providing server.
  • An interface server provides an interface that enables an application service provider to use information of a predetermined network.
  • an authentications method performs mutually authentication among an application service provider, a user terminal, and a communication system managing a predetermined network.
  • FIG. 1 is a diagram illustrating a network system according to the related art.
  • FIG. 2 is a diagram illustrating authentication of an application service provider.
  • FIG. 3 is a diagram illustrating authentication of a user terminal.
  • FIG. 4 is a diagram illustrating a method of authenticating a user terminal in an interface server in accordance with an embodiment of the present invention.
  • Fig. 5 is a diagram illustrating an interface server performing authentication of a user terminal in accordance with an embodiment of the present invention.
  • Fig. 6 is a diagram illustrating an authentication procedure performed in a user terminal in a method for authenticating the user terminal in the interface server.
  • Fig. 7 is a diagram illustrating a user terminal as related in a method for authenticating the user terminal in the interface server in accordance with an embodiment of the present invention.
  • Fig. 4 is a diagram illustrating a method of authenticating a user terminal in an interface server in accordance with an embodiment of the present invention.
  • Fig. 5 is a diagram illustrating an interface server performing authentication of a user terminal in accordance with an embodiment of the present invention.
  • Fig. 6 is a diagram illustrating an authentication procedure performed in a user terminal in a method for authenticating the user terminal in the interface server.
  • FIG. 8 is a diagram illustrating a service flow of a method for authenticating a user terminal in an interface server in accordance with an embodiment of the present invention.
  • Fig. 9 is a diagram illustrating a system for authenticating a user terminal in an interface server in accordance with an embodiment of the present invention. [43] Best Mode for Carrying out the Invention
  • block diagrams of the present invention should be understood to show a conceptual viewpoint of an exemplary circuit that embodies the principles of the present invention.
  • all the flowcharts, state conversion diagrams, pseudo codes and the like can be expressed substantially in a computer-readable media, and whether or not a computer or a processor is described distinctively, they should be understood to express various processes operated by a computer or a processor.
  • Functions of various devices illustrated in the drawings including a functional block expressed as a processor or a similar concept can be provided not only by using hardware dedicated to the functions, but also by using hardware capable of running proper software for the functions.
  • a function When a function is provided by a processor, the function may be provided by a single dedicated processor, single shared processor, or a plurality of individual processors, part of which can be shared.
  • an element expressed as a means for performing a function described in the detailed description is intended to include all methods for performing the function including all formats of software, such as combinations of circuits for performing the intended function, firmware/microcode and the like.
  • the present invention relates to an interface that enables an application service provider to transmit and receive information by accessing a predetermined network using a communication system managing the predetermined network and a method for mutual authentication among an application service provider, a user terminal, and a communication system managing a predetermined network.
  • an interface server is included in a communication system managing a predetermined network.
  • the interface server provides an interface for smooth data exchange between an application service provider and a predetermined network.
  • the interface server must protect a network service provider (NSP) from security attack. Therefore, it is necessary to authenticate the network service provider (NSP) and the application service provider.
  • NSP network service provider
  • the interface server ensures security and integrity of personal information and non-repudiation for exchanged message.
  • FIG. 2 is a diagram illustrating authentication of an application service provider.
  • an authentication server 210 exchanges data with each other in order to perform mutual authentication.
  • an interface server 220 exchanges data with each other in order to perform mutual authentication.
  • an application service providing server 230 exchanges data with each other in order to perform mutual authentication.
  • the authentication server 210 performs various types of authentication.
  • the authentication server 210 may be an authentication, authorization, and accounting (AAA) server.
  • AAA authentication, authorization, and accounting
  • the authentication server 210 is described as performing authentication of the application service providing server 230.
  • the interface server 220 provides an interface environment for enabling the application service providing server 230 to access a network and to exchange data through the network.
  • the interface server 220 may provide information about capability of the network and information about a user terminal to the application service providing server 230.
  • the application service providing server 230 provides a predetermined service to the user terminal.
  • the predetermined service may include an internet based service.
  • the application service providing server 230 is realized by an application service provider (ASP).
  • the application service providing server 230 may provide various contents and advertisements.
  • the application service provider includes an Internet application service provider (iASP).
  • the Internet application service provider may provide contents or application programs collected by Public Internet such as Yahoo, Google, or E-bay.
  • the Internet application service provider may have additional relation with a content provider (CP) or an Internet advertiser (IA).
  • CP content provider
  • IA Internet advertiser
  • the application service provider is authenticated by a network service provider.
  • the application service providing server 230 transmits authentication request information to the interface server 220 at step S241.
  • the authentication request information may include an authorization token.
  • the network service provider uses the authorization token to determine which application service provider has a right of authentication request.
  • the authorization token includes a certification with signature of an application service provider.
  • the interface server 220 authenticates the application service providing server 230 with the authentication server 210 using the authentication request information received from the application service providing server 230 at step S242.
  • the authorization token may be used to perform such an authentication process.
  • the interface server 220 transmits authentication response information including authentication result to the application service providing server 230 at step S243.
  • FIG. 3 is a diagram illustrating authentication of a user terminal.
  • an interface server 310, a user terminal 320, and an application service providing server 330 exchange data to each other for authenticating a user terminal.
  • the interface server 310 provides an interface environment that enables the application service providing server 330 to access a network and to exchange data through the network.
  • the interface server 310 may provide information about network capability and a user terminal to the application service providing server 330.
  • the user terminal 320 may be any device capable of accessing a network.
  • the user terminal 320 may be a personal computer, a notebook computer, a personal digital assistant (PDA), a portable multimedia player (PMP), a handset, and a smart phone.
  • PDA personal digital assistant
  • PMP portable multimedia player
  • the application service providing server 330 provides a predetermined service including an Internet based service.
  • the application service providing server 330 is a server embodied by an application service provider.
  • the application service providing server 230 may provide various contents and advertisements.
  • the application service provider (ASP) includes an Internet application service provider (iASP).
  • the Internet application service provider may provide contents or application programs collected by Public Internet such as Yahoo, Google, or E-bay.
  • the Interne application service provider may have additional relation with a content provider (CP) or an Internet advertiser (IA).
  • CP content provider
  • IA Internet advertiser
  • the application service providing server 330 transmits authentication request in- formation to the interface server 310.
  • the authentication request information may pass through the user terminal 320 to the interface server 310. That is, the application service providing server 330 transmits the authentication request information to the user terminal 320 at step S341 and the user terminal 320 transmits the received authentication information to the interface server 310.
  • the user terminal 320 may use a hypertext transfer protocol (HTTP) redirect method to transmit the received authentication request information to the interface server 310.
  • HTTP hypertext transfer protocol
  • the authentication information includes information for requesting authentication of the user terminal 320 that receives an application service of the application service providing server 330 to the interface server 310.
  • the application service indicates a service provided by the application service providing server 330.
  • the application service is not limited to an application program.
  • the authentication request information includes authentication request information for detecting identity of a user terminal from an application service providing server.
  • the authentication request information may include information about a desired authentication method of the application service providing server 330.
  • an authentication method of the interface server 310 is not limited thereto.
  • the authentication request information includes information about the desired authentication method of the application service providing server 330, it may be ignored.
  • the interface server 310 performs authentication of the user terminal 320 using a predetermined authentication method based on the received authentication request information at step S343.
  • the predetermined authentication method includes an authentication method selected by the interface server 310 or an authentication method selected by the user of the user terminal 320.
  • the authentication method selected by the interface server 310 may be decided based on a policy of a network service provider (NSP) who provides a network.
  • NSP network service provider
  • the authentication method set by the user of the user terminal 320 may be selected based on subscription of the user.
  • the authentication method may be an IP address based authentication method, a certification based authentication method, or a user input based authentication method.
  • IP address based authentication method a certification based authentication method
  • user input based authentication method a user input based authentication method
  • the IP address based authentication method controls the interface server 310 to refer an IP address of the user terminal 320 to authenticate the user terminal 320.
  • an additional authentication server such as an AAA server may be used.
  • the IP address based authentication method is very convenience.
  • the IP address based authentication method has a shortcoming of weak security.
  • the certification based authentication method uses a certification of a user terminal side to authenticate the user terminal.
  • the certification based authentication method has an advantage of high security. However, it is not convenient to use and it is also difficult to embody.
  • the certification may include a certification for a network of a user terminal side.
  • the user input based authentication method authenticates a user terminal based on information input from a user of the user terminal.
  • the user input information may include an ID of a user or a user terminal and a corresponding password.
  • an ID for corresponding authentication one of a permanent ID and a temporary ID is decided according to a policy of a network service provider (NSP).
  • NSP network service provider
  • the authentication request information received from the application service providing server 330 is redirected to an ID/PASSWORD input based authentication apparatus using a Hypertext Transfer Protocol (HTTP) redirect method for ID/PASSWORD input based authentication.
  • the ID/PASSWORD input based apparatus may include a web portal supporting ID/PASSWORD authentication.
  • the interface server 310 After performing the authentication based on the authentication request information, the interface server 310 transmits authentication response information including the authentication result to the application service providing server 330.
  • the authentication response information is transmitted to the application service providing server 330 passing through the user terminal 320. That is, the interface server 310 transmit the authentication response information to the user terminal 320 at step S344 and the user terminal 320 transmits the received authentication response information to the application service providing server 330 at step S345.
  • the user terminal 320 may use a Hypertext transfer protocol (HTTP) redirect method for transmitting the received authentication response information to the service providing server 330.
  • HTTP Hypertext transfer protocol
  • the authentication response information may include identity information and information about authentication result about a network of a user terminal. If not, the authentication response information may include information about authentication failure.
  • the SAML stands for a security assertions markup language.
  • the SAML is a standard for an extensible markup language for exchanging business security information on Internet.
  • the SAML is a common language for security service mutual operation between different systems and describing XML information. Lately, security information has been required for various businesses on Internet because Internet business has been expanded such as B2C and B2B and a business starting site becomes different from a business ending site. Accordingly, the SAML is an language providing a single sign-on (SSO) function that enables an open solution having interoperability and comparability with various protocols and easy resource access.
  • SSO single sign-on
  • syntax ⁇ AuthnRequest> is used as authentication request in the SAML.
  • the authentication request information may include an ASP identifier of an application service providing server, network ID information of a user terminal (User/MS USI ID to authenticate), a permanent ID and a temporary ID indication information (L-ID/S-ID request indication), internal application service provider signature (Signature of iASP).
  • Table 1 shows the information included in the authentication request information in detail.
  • Table 2 shows a permanent ID and a temporary ID in detail. [83] Table 2 [Table 2] [Table ]
  • the authentication request information may include information by syntax ⁇ AuthzDecisionStatement>.
  • Table 3 shows information of the syntax ⁇ AuthzDecisionStatement>.
  • the authentication response information may include information by syntax ⁇ AuthnStatement>.
  • Table 4 shows information of the syntax ⁇ AuthnStatement> in detail.
  • the authentication response information may include information by syntax ⁇ AuthzDecisionStatement>.
  • Table 5 shows the information of the syntax ⁇ AuthzDecisionStatement> in detail.
  • USI denotes a universal service interface.
  • a USI system server may be an interface server.
  • the interface server authenticates the user terminal without interacting with the application service provider. Therefore, it is possible to overcome problems caused because the application service provide does not recognize available authentication methods between the user terminal and the interface server.
  • an interface server uses an authentication method decided by an application service provider.
  • an interface server system or a user terminal may be not capable of using such an authentication method. It causes unnecessary new authentication procedure or limiting a user to use a service due to authentication failure. Therefore, it is not effective method of using an authentication method decided by the application service provider.
  • the authentication method according to the present embodiment enables an interface server to select an authentication method without intervention of an application service provider or enables a user to select an authentication method. Accordingly, although the interface server system cannot accept an authentication method selected by the application service provider, authentication is not failed.
  • information about a user selected authentication method may be shared with the interface server system.
  • the authentication method according to the present embodiment includes a method of authentication based a user ID and password, the authentication method according to the present embodiment is convenient to a user and can be simply embodied while securing proper security.
  • FIG. 4 is a diagram illustrating a method for authentication of a user terminal in an interface server in accordance with an embodiment of the present invention.
  • authentication request information is received from an application service providing server in order to request the interface server to authenticate a user terminal that receives an application service from the application service providing server.
  • an authentication method to authenticate the user terminal is selected according to the received authentication request information.
  • an authentication method is selected by the interface server or by a user of the user terminal and the user terminal is authenticated using the selected authentication method.
  • the authentication method may be selected by logical algorithm.
  • authentication response information including authentication result is transmitted to the application service providing server.
  • the interface server is a server providing an interface of a network to the application service providing server.
  • the authentication request information and the authentication response information may be received or transmitted through the user terminal.
  • a hypertext transfer protocol (HTTP) redirect method may be used.
  • the authentication method may be selected by a police of a service provider providing a network or by the selection of a user of the user terminal.
  • the authentication method may be one of an IP address based authentication method, a certification based authentication method, and a user input based authentication method.
  • the authentication method may include a user terminal ID/
  • authentication request information may be redirected to an ID/PASSWORD information input based authentication apparatus using a HTTP redirect method.
  • the authentication response information may include the authentication result and network identification information of the user terminal.
  • the network includes a WiMAX network.
  • the authentication request information may be generated in an application service providing server if the user terminal requests accessing the application service providing server.
  • the user terminal may want access the application service providing server to request a Quality of Service (QoS).
  • QoS Quality of Service
  • FIG. 5 is a diagram illustrating an interface server performing authentication of a user terminal in accordance with an embodiment of the present invention.
  • the interface server 501 includes a receiver 503, an authentication controller 507, and a transmitter 505.
  • the receiver 503 receives authentication request information from the application service providing server to request authenticating a user terminal receiving an application service provided from the application service providing server.
  • the authentication controller 507 authenticates the user terminal according to the received authentication request information using an authentication method set by the interface server 501 or the user of the user terminal.
  • the transmitter 505 transmits authentication response information including an authentication result to the application service providing server.
  • the interface server 501 is a server providing an interface to the application service providing server for a network.
  • the authentication request information and the authentication response information may be received or transmitted through the user terminal.
  • a hypertext transfer protocol (HTTP) redirect method may be used.
  • the authentication method may be selected according to a police of a service provider providing a network or by the user of the user terminal.
  • the authentication method may be one of an IP address based authentication method, a certification based authentication method, and a user input based authentication method.
  • the authentication method may include a user terminal ID/
  • the authentication request information may be redirected to an ID/PASSWORD based authentication apparatus using a HTTP redirect method.
  • the authentication response information may include the authentication result and network identification information of the user terminal.
  • the network includes a WiMAX network.
  • the authentication request information may be generated in an application service providing server if the user terminal requests accessing the application service providing server.
  • the user terminal may want access the application service providing server to request a Quality of Service (QoS).
  • QoS Quality of Service
  • FIG. 6 is a diagram illustrating an authentication process performed in a user terminal in a method for authentication of a user terminal in an interface server according to an embodiment of the present invention.
  • a user terminal receives authentication request information from an application service providing server in order to request the interface seerver to authenticate the user terminal that receives an application service provided from the application service providing server.
  • the user terminal transmits the received authentication request information to the interface server at step S603.
  • the interface server performs an authentication process at step S605.
  • the user terminal receives authentication response information which includes an authentication result of performing an authentication method selected by the interface server or the user of the user terminal according to the authentication request information in the interface server. That is, the user terminal receives authentication response information including an authentication result of performing an authentication method according to the authentication request information in the interface server and the authentication method is selected by the interface server or a user of the user terminal.
  • the received authentication response information is transmitted to the application service providing server at step S609.
  • the interface server is a server providing an interface for a network to the application service providing server.
  • the user terminal uses a HTTP redirect method to transmit the authentication request information to the interface server. Further, the user terminal uses a HTTP redirect method to transmit the authentication response information to the application service providing server.
  • the authentication method may be selected according to a police of a service provider providing a network or by the user of the user terminal.
  • the authentication method may be one of an IP address based authentication method, a certification based authentication method, and a user input based authentication method.
  • the authentication method may include a user terminal ID/
  • the authentication request information may be redirected to an ID/PASSWORD based authentication apparatus using a HTTP redirect method.
  • the authentication response information may include the authentication result and network identification information of the user terminal.
  • the network includes a WiMAX network.
  • the authentication request information may be generated in an application service providing server if the user terminal requests accessing the application service providing server.
  • the user terminal may want access the application service providing server to request a Quality of Service (QoS).
  • QoS Quality of Service
  • FIG. 7 is a diagram illustrating a user terminal in authentication of the user terminal in an interface server in accordance with an embodiment of the present invention.
  • the user terminal 701 includes a receiver 703 for receiving authentication request information for requesting the interface server to authenticate the user terminal 701 from the application service providing server and a transmitter 705 for transmitting the authentication request information to the interface server.
  • the receiver 703 receives authentication response information including an authentication result of performing an authentication method selected by the interface server or the user of the user terminal 701 according to the authentication request information from the interface server. That is, the receiver 703 receives authentication response information including an authentication result of performing an authentication method according to the authentication request information in the interface server and the authentication method is selected by the interface server or a user of the user terminal 701.
  • the transmitter 705 transmits the received authentication response information to the application service providing server.
  • the interface server is a server providing an interface for a network to the application service providing server.
  • the user terminal 701 uses a Hypertext Transfer Protocol (HTTP) redirect method to transmit authentication request information and to transmit authentication response information to the application service providing server.
  • HTTP Hypertext Transfer Protocol
  • the authentication method may be selected according to a police of a service provider providing a network or by the user of the user terminal 701.
  • the authentication method may be one of an IP address based authentication method, a certification based authentication method, or a user information input based authentication method of the user terminal 701.
  • the authentication method further includes a method for mutually exchanging information between an interface server and a user terminal 701.
  • the user terminal 701 further includes an authentication unit 707 for mutually exchanging information.
  • the authentication unit 707 includes an information input unit 709 for receiving ID/PASSWORD information.
  • the authentication method includes an authentication method using information about ID/PASSWORD of the user terminal 701.
  • the receiver 703 receives a request of inputting ID/PASSWORD information from the ID/ PASSWORD input based authentication apparatus.
  • the transmitter 705 transmits the input ID/PASSWORD information to the interface server.
  • the ID/PASSWORD information input based authentication apparatus receives the authentication request information from the interface server based on a Hypertext Transfer Protocol (HTTP) redirection method.
  • HTTP Hypertext Transfer Protocol
  • the authentication response information may include identity information and information about authentication result about a network of a user terminal 701.
  • the network includes a WiMAX network.
  • the authentication request information may be generated by the application service providing server.
  • the user terminal requests accessing the application service providing server in order to request a Quality of Service (QoS) to the application service providing server.
  • QoS Quality of Service
  • FIG. 8 is a diagram illustrating a service flow for authenticating a user terminal in an interface server according to an embodiment of the present invention.
  • a mobile station (MS) 801, an access control router (ACR) 802, a quality manager (QM) 803, an AAA server 804, an USI system 805, and an iASP 806 exchange information to each other to authenticate a user terminal.
  • the MS 801 may be a user terminal, and the USI system 805 denotes an interface server.
  • the iASP 806 denotes an application service providing server.
  • the MS 801 requests accessing a network. Then, the ACR 802 and the AAA server 804 perform authentication of accessing at step S811. The AAA server 804 com- municates with the USI system 805 and performs USI Registration Request/Confirm at step S812. The MS 801 requests a QoS service to the iASP 806 at step S813.
  • the iASP 806 transmits a USI request including authentication request information ⁇ AuthnRequest> to the MS at step S814.
  • the MS 801 transmits the received USI Request to the USI system 805 using a redirect method at step S815.
  • the USI system 805 performs authentication and identification of the MS 801 for the received USI Request at step S816.
  • the authentication method may be one of an IP address based authentication method, a certification based authentication method, or a user input based authentication method. Such authentication methods are preformed between the USI system 805 and the MS 801 without intervention of the IAS 806.
  • the USI system 805 transmits USI Response including authentication result ⁇ Response> to the MS 801 at step S817.
  • the MS 801 transmits the received USI Response to the IASP 806 using the redirect method at step S818.
  • the iASP 806 transmits the USI Request to the USI system 805 to generate a QoS session at step S819.
  • the USI system 805 generates a QoS service right according to a USI Request for generating the QoS session at step S 820 and requests the QM 803 to generate resource at step S 821.
  • the QM 803 orders the ACR 802 to generate resource at step S822 and the ACR 802 generates resource at step S823.
  • the USI system 805 transmits a USI response to the iASP 806 including resource generation response information at step S 825.
  • the iASP 806 provides a QoS service through the generated resource to the MS 801 according to the USI Response including the resource generation response information at step S826.
  • FIG. 9 is a diagram illustrating a system for authenticating a user terminal in an interface server in accordance with an embodiment of the present invention.
  • the system includes a MS 901, a network communication system 920, and an application service providing server 930.
  • the application service providing server 830 may be Google as a 3 rd party ASP.
  • the network communication system 920 includes a USI system 921, a RAS 922, an ACR 923, and an USI authentication server 924.
  • the network communication system 920 further includes LGW, PCFR, E-Payment Server, Device Capability Retrieval Server, DCR Server, Wibro(Wimax) Accounting/ Billing System, Wibro(Wimax) subscription System.
  • the application service providing server 930, the USI system 921, and the USI authentication server 924 mutually exchange data to authenticate an application service providing server 930.
  • the USI authentication server 924 may perform a roll of the AAA server.
  • the MS 910, the USI system 921, and the application service providing server 930 may mutually exchange data to authenticate a user terminal.
  • the MS 910 is connected to the application service providing server 930 using HTTP and exchange data with the application service providing server 930.
  • the USI system 921 authenticates the MS 910 using an authentication method selected by a policy of a service provider or a user of a user terminal without intervention of the application service providing server 930.
  • the authentication method may be one of an IP address based authentication method, a certification based authentication method, and a user input based authentication method.
  • a user of a MS 910 is located at an area A.
  • the user accesses a Google server 930 which is an application service providing server and searches a bank through the Google server.
  • the Google server 930 transmits information about banks around the area A among the search result of banks.
  • the Google server 930 accesses the USI system 921 and requests the system information or the information of the MS 910 from the USI system 921.
  • the Google server requests location information of the MS 910 to the USI system 921.
  • the USI system 921 authenticates the MS 910.
  • the USI system 921 authenticates the MS 910 without intervention of the Google server 930 in order to prevent security attack or fault ID when the MS 910 is authenticated.
  • a method for authenticating a user terminal in an interface server according to the present invention can be embodied as a computer readable recording medium.
  • the computer readable recording medium storing the method includes: receiving authentication request information to request authenticating a user terminal that receives an application service from an application service providing server; authenticating the user terminal according to the authenticating request information using an authentication method selected by the interface server or a user of the user terminal; and transmitting authentication response information including an authentication result of performing the authentication method to the application service providing server, wherein the interface server provides an interface for a network to the application service providing server.
  • a method for authenticating a user terminal in an interface server according to the present invention can be embodied as a computer readable recording medium.
  • the computer readable recording medium storing the method includes: receiving authentication request information from an application service providing server to request the interface server to authenticate the user terminal receiving an application service provided from the application service providing server; transmitting the authentication request information to the interface server; receiving authentication response information including an authentication result of performing an authentication method selected by the interface server or a user of the user terminal according to the authentication request information in the interface server; and transmitting the received authentication response information to the application service providing server, wherein the interface server is a server providing an interface for a network to the application service providing server.
  • a method for authenticating a user terminal in an interface server, and an interface server and a user terminal using the same according to the present invention can be applied to a communication system using a network for authentication procedure.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

Provided are a method for authenticating a user terminal in an interface server, and an interface server and a user terminal using the same. The method includes receiving authentication request information from an application service providing server in order to request the interface server to authenticate the user terminal receiving an application service provided from the application service providing server, authenticating the user terminal according to the authenticating request information using an authentication method selected by the interface server or a user of the user terminal, and transmitting authentication response information including an authentication result of performing the authentication method to the application service providing server. The interface server provides an interface for a network to the application service providing server.

Description

METHOD FOR USER TERMINAL AUTHENTICATION OF INTERFACE SERVER AND INTERFACE SERVER AND USER TERMINAL THEREOF
The present invention relates to a method for authenticating a user terminal; and more particularly, to a method for authenticating a user terminal in an interface server, and an interface server and a user terminal using the same.
Due to the development of a communication system, various types of networks have been realized. An environment including multiple types of networks is referred to as a multi-network environment. In the multi-network environment, a user terminal may access one of networks such as a Wireless Local Area Network (WLAN) network, a Code Division Multiple Access (CDMA) network, and a World Interoperability for Microwave Access (WiMAX) network.
Hereinafter, the WiMAX network will be exemplary described as one of the representative communication networks. The WiMAX network provides a communication service that enables a user to access the Internet at a high speed and to receive data or multimedia contents not only in an indoor place but also at the outside and even during travelling using various types of user terminals such as a personal computer, a notebook computer, a personal digital assistant (PDA), a portable multimedia player (PMP), a handset, and a smart phone. Such a WiMAX service enables a user to use the Internet even in the outdoor place such as streets, parks, and vehicles in travelling unlike a high speed internet service that enables a user to use the Internet only at an indoor place with an internet cable is installed such as home, a school, and an office.
A WiMAX forum has been established by communication service providers, communication equipments manufacturers, and semiconductor manufacturers in order to secure comparability among equipment employing a WiMAX technology. The WiMAX forum uses an Institute of Electrical and Electronics Engineers (IEEE) standard 802.16 of a wide band wireless access technology as a fundamental technology. The WiMAX forum has been trying to advance a related technology from a stationary standard 802.16d to a mobile standard 802.16e.
The WiMAX network is a wireless metropolitan area network (WMAN) technology based on IEEE 802.16 standard. In general, the WiMAX network includes an access service network (ASN) and a connectivity service network (CSN). The access service network (ASN) includes a user terminal such as a mobile station (MS) which is a client, a base station (BS), and an access service network gateway (ASN-GW). The connectivity service network (CSN) includes logical entities such as a policy function (PF) entity, an authentication authorization and accounting (AAA) server, and an application function (AF) entity.
Hereinafter, a logical structure of a WiMAX network will be described.
The mobile station (MS) is referred to as a WiMAX terminal that accesses the ASN through a wireless link. An IEEE 802.16D/E standard WMAN access technology is mainly used at a wireless side of a WiMAX network.
The ASN guarantees establishing connection between a WiMAX terminal and a WiMAX base station (BS). The ASN manages wireless resources, finds a network, selects an optimal a network service provider (NSP) for a WiMAX subscriber, operates as a proxy server for controlling authentication authorization and accounting (AAA) of a WiMAX subscriber in a proxy mobile intern protocol (MIP), and accesses an application through a WiMAX terminal.
The CSN allocates an Internet protocol (IP) address for a session of a WiMAX subscriber, provides access for Internet, operates as an AAA proxy or an AAA server, performs a policy and controls access based on the subscribing data of a subscriber, supports establishing a tunnel between the ASN and the CSN, generates an invoice for a WiMAX subscriber, supports a policy of a WiMAX service through an operator, supports forming a loaming tunnel between CSNs, supports mobility between ASNs, provides a location based service, provides an end-to-end service, and supports various WiMAX services such as multimedia broadcast service and a multimedia broadcast multicast service (MBMS).
Fig. 1 is a diagram illustrating a network system according to the related art.
Referring to Fig. 1, the network system according to the related art includes a user terminal 110, a communication system 120, an Internet network 130, and an application service provider 140.
The user terminal 110 is any devices that can access a network including a communication system. For example, the user terminal 110 may be a notebook computer, a personal computer, a personal digital assistant (PDA), a hand set, or a personal multimedia player (PMP).
The communication system 120 includes a base station 121 or a radio access station (RAS) for controlling connection of a physical communication channel, an Access Service Network Gate Way (ASN-GW) 122 or Base Station Controller/Serving GPRS Supporting Node (BSC/SGSN) for controlling Medium Access Control (MAC) of an access network, Connectivity Service Network (CSN) 123 or Packet Data Service Node/ Gateway GPRS Support Node (PDSN/GGSN) for controlling connection of a network layer. The communication system 120 may further include a location information server (LIS), a device capability server, a user profile server, a quality of service server (QoS), and a billing server.
The application service provider 140 has servers for providing a predetermined service to the user terminal 110. The application service provider 140 may include an Internet Protocol Television (IPTV) server for providing an Internet based television programs to a user terminal 110 accessing the Internet network 130, a contents server for providing music/video contents in real time, a search engine server for providing a result of a search inquiry in response to a request of the user terminal 110, an advertisement server for providing advertisement, and a service server 139 for providing services.
Hereinafter, an operation of a network system according to the related art will be described. For example, the network system according to the related art performs following operations when a user of a user terminal 110 requests a map service from the application service provider 140.
The user of the user terminal 110 is located at an area A. The user terminal 110 requests a map service to an application service provider 140 through a communication system 120 and an internet network 130. The application service provider 140 provides a web page (or a web site) as the map service to the user terminal 110.
The application service provider 140 provides an initial map image of a predetermined area which is initially selected in a map service server regardless of a current location of a user terminal 110. When the user requests a map image of a certain area after sending the initial map image of the predetermined area, the application service provider 140 provides a map image of a corresponding area to a user.
If the application service provider 140 provides a map image of a current location of a user terminal when the user terminal 110 access a server of the application service provider 140 providing the map service, the application service provider can provide a personalized map service to a user. In this way, the user may be provided with a better service. In order to provide such a personalized service, the application service provider 140 needs personal information. Therefore, there has been a demand for a method of receiving personal information such as location information of the user terminal 110 when the application service provider 140 provides a personalized service to the user terminal 110.
When the application service provider 140 requests the personal information such as location information of the user terminal 110 to the communication system 120 after accessing the communication system 120, it is required to establish an interface and to perform mutual authentication among the application service provider 140, the user terminal 110, and the communication system 120.
An embodiment of the present invention is directed to providing an interface for enabling an application service provider to use unique information of a predetermined network by accessing a communication system that manages the predetermined network.
An embodiment of the present invention is directed to providing a method for mutual authentication among an application service provider, a user terminal, and a communication system operating a predetermined network.
Other objects and advantages of the present invention can be understood by the following description, and become apparent with reference to the embodiments of the present invention. Also, it is obvious to those skilled in the art of the present invention that the objects and advantages of the present invention can be realized by the means as claimed and combinations thereof.
In accordance with an aspect of the present invention, there is provided a user terminal authentication method of an interface server, including: receiving authentication request information from an application service providing server in order to request the interface server to authenticate the user terminal receiving an application service provided from the application service providing server; authenticating the user terminal according to the authenticating request information using an authentication method selected by the interface server or a user of the user terminal; and transmitting authentication response information including an authentication result of performing the authentication method to the application service providing server, wherein the interface server provides an interface for a network to the application service providing server.
In accordance with another aspect of the present invention, there is provided an interface server including: a receiver configured to receive authentication request information from an application service providing server in order to request the interface server to authenticate a user terminal that receives an application service provided from the application service providing server; an authentication controller configured to authenticate the user terminal according to the authentication request information using an authentication method selected by the interface server or a user of the user terminal; and a transmitter configured to transmit authentication response information including an authentication result of performing the authentication method to the application service providing server, wherein the interface server provides an interface for a network to the application service providing server.
In accordance with another aspect of the present invention, there is provided a method for authenticating a user terminal in an interface server including: receiving authentication request information from an application service providing server in order to request the interface server to authenticate the user terminal receiving an application service provided from the application service providing server; transmitting the authentication request information to the interface server; receiving authentication response information including an authentication result of performing an authentication method according to the authentication request information in the interface server and the authentication method is selected by the interface server or a user of the user terminal; and transmitting the received authentication response information to the application service providing server, wherein the interface server is a server providing an interface for a network to the application service providing server.
In accordance with another aspect of the present invention, there is provided a user terminal including: a receiver configured to receive authentication request information from an application service providing server in order to request the interface server to authenticate the user terminal that receives an application service provided from the application service providing server; and a transmitter configured to transmit the authentication request information to the interface server, wherein the receiver receives authentication response information including an authentication result of performing an authentication method according to the authentication request information in the interface server and the authentication method is selected by the interface server or a user of the user terminal, wherein the transmitter transmits the received authentication response information to the application service providing server, and wherein the interface server provides an interface for a network to the application service providing server.
In accordance with another aspect of the present invention, there is provided a computer readable recording medium storing a method for authenticating a user terminal in an interface server, the method includes: receiving authentication request information to request authenticating a user terminal that receives an application service from an application service providing server; authenticating the user terminal according to the authenticating request information using an authentication method selected by the interface server or a user of the user terminal; and transmitting authentication response information including an authentication result of performing the authentication method to the application service providing server, wherein the interface server provides an interface for a network to the application service providing server.
In accordance with another aspect of the present invention, there is provided a computer readable recording medium storing a method for authenticating a user terminal in an interface server, the method includes: receiving authentication request information from an application service providing server to request the interface server to authenticate the user terminal receiving an application service provided from the application service providing server; transmitting the authentication request information to the interface server; receiving authentication response information including an authentication result of performing an authentication method selected by the interface server or a user of the user terminal according to the authentication request information in the interface server; and transmitting the received authentication response information to the application service providing server, wherein the interface server is a server providing an interface for a network to the application service providing server.
An interface server according to the present invention provides an interface that enables an application service provider to use information of a predetermined network. Further, an authentications method according to the present invention performs mutually authentication among an application service provider, a user terminal, and a communication system managing a predetermined network.
Fig. 1 is a diagram illustrating a network system according to the related art.
Fig. 2 is a diagram illustrating authentication of an application service provider.
Fig. 3 is a diagram illustrating authentication of a user terminal.
Fig. 4 is a diagram illustrating a method of authenticating a user terminal in an interface server in accordance with an embodiment of the present invention.
Fig. 5 is a diagram illustrating an interface server performing authentication of a user terminal in accordance with an embodiment of the present invention.
Fig. 6 is a diagram illustrating an authentication procedure performed in a user terminal in a method for authenticating the user terminal in the interface server.
Fig. 7 is a diagram illustrating a user terminal as related in a method for authenticating the user terminal in the interface server in accordance with an embodiment of the present invention.
Fig. 8 is a diagram illustrating a service flow of a method for authenticating a user terminal in an interface server in accordance with an embodiment of the present invention.
Fig. 9 is a diagram illustrating a system for authenticating a user terminal in an interface server in accordance with an embodiment of the present invention.
Following description exemplifies only the principles of the present invention. Even if they are not described or illustrated clearly in the present specification, one of ordinary skill in the art can embody the principles of the present invention and invent various apparatuses within the concept and scope of the present invention. The use of the conditional terms and embodiments presented in the present specification are intended only to make the concept of the present invention understood, and they are not limited to the embodiments and conditions mentioned in the specification.
Also, all the detailed description on the principles, viewpoints and embodiments and particular embodiments of the present invention should be understood to include structural and functional equivalents to them. The equivalents include not only currently known equivalents but also those to be developed in future, that is, all devices invented to perform the same function, regardless of their structures.
For example, block diagrams of the present invention should be understood to show a conceptual viewpoint of an exemplary circuit that embodies the principles of the present invention. Similarly, all the flowcharts, state conversion diagrams, pseudo codes and the like can be expressed substantially in a computer-readable media, and whether or not a computer or a processor is described distinctively, they should be understood to express various processes operated by a computer or a processor.
Functions of various devices illustrated in the drawings including a functional block expressed as a processor or a similar concept can be provided not only by using hardware dedicated to the functions, but also by using hardware capable of running proper software for the functions. When a function is provided by a processor, the function may be provided by a single dedicated processor, single shared processor, or a plurality of individual processors, part of which can be shared.
The apparent use of a term, 'processor', 'control' or similar concept, should not be understood to exclusively refer to a piece of hardware capable of running software, but should be understood to include a digital signal processor (DSP), hardware, and ROM, RAM and non-volatile memory for storing software, implicatively. Other known and commonly used hardware may be included therein, too.
In the claims of the present specification, an element expressed as a means for performing a function described in the detailed description is intended to include all methods for performing the function including all formats of software, such as combinations of circuits for performing the intended function, firmware/microcode and the like.
To perform the intended function, the element is cooperated with a proper circuit for performing the software. The present invention defined by claims includes diverse means for performing particular functions, and the means are connected with each other in a method requested in the claims. Therefore, any means that can provide the function should be understood to be an equivalent to what is figured out from the present specification.
The present invention relates to an interface that enables an application service provider to transmit and receive information by accessing a predetermined network using a communication system managing the predetermined network and a method for mutual authentication among an application service provider, a user terminal, and a communication system managing a predetermined network.
In the present invention, an interface server is included in a communication system managing a predetermined network. The interface server provides an interface for smooth data exchange between an application service provider and a predetermined network. The interface server must protect a network service provider (NSP) from security attack. Therefore, it is necessary to authenticate the network service provider (NSP) and the application service provider. The interface server ensures security and integrity of personal information and non-repudiation for exchanged message.
Hereinafter, a method for authenticating a user terminal in an interface server, an interface server, and a user terminal according to embodiments of the present invention will be described with reference to the accompanying drawings.
Fig. 2 is a diagram illustrating authentication of an application service provider.
Referring to Fig. 2, an authentication server 210, an interface server 220, and an application service providing server 230 exchange data with each other in order to perform mutual authentication.
The authentication server 210 performs various types of authentication. For example, the authentication server 210 may be an authentication, authorization, and accounting (AAA) server. In Fig. 2, the authentication server 210 is described as performing authentication of the application service providing server 230.
The interface server 220 provides an interface environment for enabling the application service providing server 230 to access a network and to exchange data through the network. The interface server 220 may provide information about capability of the network and information about a user terminal to the application service providing server 230.
The application service providing server 230 provides a predetermined service to the user terminal. For example, the predetermined service may include an internet based service. The application service providing server 230 is realized by an application service provider (ASP). The application service providing server 230 may provide various contents and advertisements.
The application service provider (ASP) includes an Internet application service provider (iASP). The Internet application service provider may provide contents or application programs collected by Public Internet such as Yahoo, Google, or E-bay. The Internet application service provider may have additional relation with a content provider (CP) or an Internet advertiser (IA).
The application service provider is authenticated by a network service provider. In order to authenticate the network service provider, the application service providing server 230 transmits authentication request information to the interface server 220 at step S241. The authentication request information may include an authorization token. The network service provider uses the authorization token to determine which application service provider has a right of authentication request. The authorization token includes a certification with signature of an application service provider.
The interface server 220 authenticates the application service providing server 230 with the authentication server 210 using the authentication request information received from the application service providing server 230 at step S242. The authorization token may be used to perform such an authentication process.
The interface server 220 transmits authentication response information including authentication result to the application service providing server 230 at step S243.
Fig. 3 is a diagram illustrating authentication of a user terminal.
Referring to Fig. 3, an interface server 310, a user terminal 320, and an application service providing server 330 exchange data to each other for authenticating a user terminal.
The interface server 310 provides an interface environment that enables the application service providing server 330 to access a network and to exchange data through the network. The interface server 310 may provide information about network capability and a user terminal to the application service providing server 330.
The user terminal 320 may be any device capable of accessing a network. The user terminal 320 may be a personal computer, a notebook computer, a personal digital assistant (PDA), a portable multimedia player (PMP), a handset, and a smart phone.
The application service providing server 330 provides a predetermined service including an Internet based service. The application service providing server 330 is a server embodied by an application service provider. The application service providing server 230 may provide various contents and advertisements. The application service provider (ASP) includes an Internet application service provider (iASP). The Internet application service provider may provide contents or application programs collected by Public Internet such as Yahoo, Google, or E-bay. The Interne application service provider may have additional relation with a content provider (CP) or an Internet advertiser (IA).
The application service providing server 330 transmits authentication request information to the interface server 310. The authentication request information may pass through the user terminal 320 to the interface server 310. That is, the application service providing server 330 transmits the authentication request information to the user terminal 320 at step S341 and the user terminal 320 transmits the received authentication information to the interface server 310. The user terminal 320 may use a hypertext transfer protocol (HTTP) redirect method to transmit the received authentication request information to the interface server 310.
The authentication information includes information for requesting authentication of the user terminal 320 that receives an application service of the application service providing server 330 to the interface server 310. The application service indicates a service provided by the application service providing server 330. However, the application service is not limited to an application program. The authentication request information includes authentication request information for detecting identity of a user terminal from an application service providing server.
The authentication request information may include information about a desired authentication method of the application service providing server 330. However, an authentication method of the interface server 310 is not limited thereto. Although the authentication request information includes information about the desired authentication method of the application service providing server 330, it may be ignored.
The interface server 310 performs authentication of the user terminal 320 using a predetermined authentication method based on the received authentication request information at step S343. The predetermined authentication method includes an authentication method selected by the interface server 310 or an authentication method selected by the user of the user terminal 320. The authentication method selected by the interface server 310 may be decided based on a policy of a network service provider (NSP) who provides a network. The authentication method set by the user of the user terminal 320 may be selected based on subscription of the user.
The authentication method may be an IP address based authentication method, a certification based authentication method, or a user input based authentication method. Hereinafter, those authentication methods will be described in detail.
At first, the IP address based authentication method controls the interface server 310 to refer an IP address of the user terminal 320 to authenticate the user terminal 320. In this case, an additional authentication server such as an AAA server may be used. The IP address based authentication method is very convenience. However, the IP address based authentication method has a shortcoming of weak security.
The certification based authentication method uses a certification of a user terminal side to authenticate the user terminal. The certification based authentication method has an advantage of high security. However, it is not convenient to use and it is also difficult to embody. The certification may include a certification for a network of a user terminal side.
The user input based authentication method authenticates a user terminal based on information input from a user of the user terminal. The user input information may include an ID of a user or a user terminal and a corresponding password. As an ID for corresponding authentication, one of a permanent ID and a temporary ID is decided according to a policy of a network service provider (NSP). In the user input based authentication method, the authentication request information received from the application service providing server 330 is redirected to an ID/PASSWORD input based authentication apparatus using a Hypertext Transfer Protocol (HTTP) redirect method for ID/PASSWORD input based authentication. Here, the ID/PASSWORD input based apparatus may include a web portal supporting ID/PASSWORD authentication.
After performing the authentication based on the authentication request information, the interface server 310 transmits authentication response information including the authentication result to the application service providing server 330. The authentication response information is transmitted to the application service providing server 330 passing through the user terminal 320. That is, the interface server 310 transmit the authentication response information to the user terminal 320 at step S344 and the user terminal 320 transmits the received authentication response information to the application service providing server 330 at step S345. The user terminal 320 may use a Hypertext transfer protocol (HTTP) redirect method for transmitting the received authentication response information to the service providing server 330.
If the user terminal is successfully authenticated, the authentication response information may include identity information and information about authentication result about a network of a user terminal. If not, the authentication response information may include information about authentication failure.
Hereinafter, information included in the authentication request information will be described based on a SAML message. The SAML stands for a security assertions markup language. The SAML is a standard for an extensible markup language for exchanging business security information on Internet. The SAML is a common language for security service mutual operation between different systems and describing XML information. Lately, security information has been required for various businesses on Internet because Internet business has been expanded such as B2C and B2B and a business starting site becomes different from a business ending site. Accordingly, the SAML is an language providing a single sign-on (SSO) function that enables an open solution having interoperability and comparability with various protocols and easy resource access.
For example, syntax <AuthnRequest> is used as authentication request in the SAML. The authentication request information may include an ASP identifier of an application service providing server, network ID information of a user terminal (User/MS USI ID to authenticate), a permanent ID and a temporary ID indication information (L-ID/S-ID request indication), internal application service provider signature (Signature of iASP). Table 1 shows the information included in the authentication request information in detail.
Table 1
Parameter SAML element
ASP identifier <Issuer>
User/MS USI ID to authenticate <Subject>
L-ID/S-ID request indication <NameIDPolicy>
Signature of iASP <ds:Signature>
Whether authentication can be done based on previous authentication, such as the network entry + IP address ForceAuthn
Table 2 shows a permanent ID and a temporary ID in detail.
Table 2
Value Meaning
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent The USI identity is L-ID
urn:oasis:names:tc:SAML:2.0:nameid-format:transient The USI identity is S-ID
Meanwhile, the authentication request information may include information by syntax <AuthzDecisionStatement>. Table 3 shows information of the syntax <AuthzDecisionStatement>.
Table 3
Parameter SAML element
Identity of authorizing iASP <Issuer>
Reference to request <Resource>
Signature of iASP <ds:Signature>
The authentication response information may include information by syntax <AuthnStatement>. Table 4 shows information of the syntax <AuthnStatement> in detail.
Table 4
Parameter SAML element Comments
Identity of USI System <Issuer>
The USI user's ID <Subject> Also contains indication of L-ID/S-ID. (Name Identifier Format Identifiers)
Authentication method used <AuthnContext> URI values specify the authentication contexts. (e.g. URI specifying EAP-TTLS authentication)Values for <AuthnContext> in <AuthnStatement>
Signature of USI System <ds:Signature>
The authentication response information may include information by syntax <AuthzDecisionStatement>. Table 5 shows the information of the syntax <AuthzDecisionStatement> in detail.
Table 5
Parameter SAML element
Identity of authorizing USI System <Issuer>
Reference to request <Resource> Specified if a specific request is authorized
Identity of target USI System(s) <Conditions> Specified if this is authorization for particular USI System(s)
The target USI user(s) or MS(s) ID(s) <Conditions> Specified if this is a generic authorization for anyone to submit certain USI requests for these targets
ASP identity/authorization for the USI request <Subject>
Signature of USI System <ds:Signature>
In Table 1 to Table 5, USI denotes a universal service interface. A USI system server may be an interface server.
As described above, the interface server authenticates the user terminal without interacting with the application service provider. Therefore, it is possible to overcome problems caused because the application service provide does not recognize available authentication methods between the user terminal and the interface server.
Conventionally, an interface server uses an authentication method decided by an application service provider. In this case, an interface server system or a user terminal may be not capable of using such an authentication method. It causes unnecessary new authentication procedure or limiting a user to use a service due to authentication failure. Therefore, it is not effective method of using an authentication method decided by the application service provider.
Therefore, the authentication method according to the present embodiment enables an interface server to select an authentication method without intervention of an application service provider or enables a user to select an authentication method. Accordingly, although the interface server system cannot accept an authentication method selected by the application service provider, authentication is not failed. Here, when a user selects an authentication method, information about a user selected authentication method may be shared with the interface server system.
Since the authentication method according to the present embodiment includes a method of authentication based a user ID and password, the authentication method according to the present embodiment is convenient to a user and can be simply embodied while securing proper security.
Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings.
<A first exemplary method of authentication of a user terminal in an interface server>
Fig. 4 is a diagram illustrating a method for authentication of a user terminal in an interface server in accordance with an embodiment of the present invention.
Referring to Fig. 4, at step S401, authentication request information is received from an application service providing server in order to request the interface server to authenticate a user terminal that receives an application service from the application service providing server. At step S403, an authentication method to authenticate the user terminal is selected according to the received authentication request information. At step S405, an authentication method is selected by the interface server or by a user of the user terminal and the user terminal is authenticated using the selected authentication method. The authentication method may be selected by logical algorithm. At step S405, authentication response information including authentication result is transmitted to the application service providing server.
Here, the interface server is a server providing an interface of a network to the application service providing server.
The authentication request information and the authentication response information may be received or transmitted through the user terminal. In order to transmit the authentication request information and the authentication response information passing through the user terminal, a hypertext transfer protocol (HTTP) redirect method may be used.
The authentication method may be selected by a police of a service provider providing a network or by the selection of a user of the user terminal.
The authentication method may be one of an IP address based authentication method, a certification based authentication method, and a user input based authentication method.
In more detail, the authentication method may include a user terminal ID/PASSWORD input based authentication method. In this case, authentication request information may be redirected to an ID/PASSWORD information input based authentication apparatus using a HTTP redirect method.
If the user terminal is successfully authenticated, the authentication response information may include the authentication result and network identification information of the user terminal.
Here, the network includes a WiMAX network.
The authentication request information may be generated in an application service providing server if the user terminal requests accessing the application service providing server. Here, the user terminal may want access the application service providing server to request a Quality of Service (QoS).
<Interface server>
Fig. 5 is a diagram illustrating an interface server performing authentication of a user terminal in accordance with an embodiment of the present invention.
Referring to Fig. 5, the interface server 501 includes a receiver 503, an authentication controller 507, and a transmitter 505. The receiver 503 receives authentication request information from the application service providing server to request authenticating a user terminal receiving an application service provided from the application service providing server. The authentication controller 507 authenticates the user terminal according to the received authentication request information using an authentication method set by the interface server 501 or the user of the user terminal. The transmitter 505 transmits authentication response information including an authentication result to the application service providing server. The interface server 501 is a server providing an interface to the application service providing server for a network.
The authentication request information and the authentication response information may be received or transmitted through the user terminal. In order to transmit the authentication request information and the authentication response information passing through the user terminal, a hypertext transfer protocol (HTTP) redirect method may be used.
The authentication method may be selected according to a police of a service provider providing a network or by the user of the user terminal.
The authentication method may be one of an IP address based authentication method, a certification based authentication method, and a user input based authentication method.
In more detail, the authentication method may include a user terminal ID/PASSWORD based authentication method. In this case, the authentication request information may be redirected to an ID/PASSWORD based authentication apparatus using a HTTP redirect method.
If the user terminal is successfully authenticated, the authentication response information may include the authentication result and network identification information of the user terminal.
Here, the network includes a WiMAX network.
The authentication request information may be generated in an application service providing server if the user terminal requests accessing the application service providing server. Here, the user terminal may want access the application service providing server to request a Quality of Service (QoS).
<A second exemplary method for authentication of a user terminal in an interface server>
Fig. 6 is a diagram illustrating an authentication process performed in a user terminal in a method for authentication of a user terminal in an interface server according to an embodiment of the present invention.
Referring to Fig. 6, at step S601, a user terminal receives authentication request information from an application service providing server in order to request the interface seerver to authenticate the user terminal that receives an application service provided from the application service providing server. The user terminal transmits the received authentication request information to the interface server at step S603. The interface server performs an authentication process at step S605. At step S607, the user terminal receives authentication response information which includes an authentication result of performing an authentication method selected by the interface server or the user of the user terminal according to the authentication request information in the interface server. That is, the user terminal receives authentication response information including an authentication result of performing an authentication method according to the authentication request information in the interface server and the authentication method is selected by the interface server or a user of the user terminal. The received authentication response information is transmitted to the application service providing server at step S609. The interface server is a server providing an interface for a network to the application service providing server.
The user terminal uses a HTTP redirect method to transmit the authentication request information to the interface server. Further, the user terminal uses a HTTP redirect method to transmit the authentication response information to the application service providing server.
The authentication method may be selected according to a police of a service provider providing a network or by the user of the user terminal.
The authentication method may be one of an IP address based authentication method, a certification based authentication method, and a user input based authentication method.
In more detail, the authentication method may include a user terminal ID/PASSWORD based authentication method. In this case, the authentication request information may be redirected to an ID/PASSWORD based authentication apparatus using a HTTP redirect method.
If the user terminal is successfully authenticated, the authentication response information may include the authentication result and network identification information of the user terminal.
Here, the network includes a WiMAX network.
The authentication request information may be generated in an application service providing server if the user terminal requests accessing the application service providing server. Here, the user terminal may want access the application service providing server to request a Quality of Service (QoS).
<User terminal>
Fig. 7 is a diagram illustrating a user terminal in authentication of the user terminal in an interface server in accordance with an embodiment of the present invention.
Referring to Fig. 7, the user terminal 701 includes a receiver 703 for receiving authentication request information for requesting the interface server to authenticate the user terminal 701 from the application service providing server and a transmitter 705 for transmitting the authentication request information to the interface server. The receiver 703 receives authentication response information including an authentication result of performing an authentication method selected by the interface server or the user of the user terminal 701 according to the authentication request information from the interface server. That is, the receiver 703 receives authentication response information including an authentication result of performing an authentication method according to the authentication request information in the interface server and the authentication method is selected by the interface server or a user of the user terminal 701.
The transmitter 705 transmits the received authentication response information to the application service providing server. The interface server is a server providing an interface for a network to the application service providing server.
The user terminal 701 uses a Hypertext Transfer Protocol (HTTP) redirect method to transmit authentication request information and to transmit authentication response information to the application service providing server.
The authentication method may be selected according to a police of a service provider providing a network or by the user of the user terminal 701.
The authentication method may be one of an IP address based authentication method, a certification based authentication method, or a user information input based authentication method of the user terminal 701.
The authentication method further includes a method for mutually exchanging information between an interface server and a user terminal 701. In this case, the user terminal 701 further includes an authentication unit 707 for mutually exchanging information. The authentication unit 707 includes an information input unit 709 for receiving ID/PASSWORD information. The authentication method includes an authentication method using information about ID/PASSWORD of the user terminal 701. The receiver 703 receives a request of inputting ID/PASSWORD information from the ID/PASSWORD input based authentication apparatus. The transmitter 705 transmits the input ID/PASSWORD information to the interface server. The ID/PASSWORD information input based authentication apparatus receives the authentication request information from the interface server based on a Hypertext Transfer Protocol (HTTP) redirection method.
If the user terminal 701 is successfully authenticated according to the authentication method, the authentication response information may include identity information and information about authentication result about a network of a user terminal 701.
The network includes a WiMAX network.
When the user terminal 701 requests accessing the application service providing server, the authentication request information may be generated by the application service providing server. Here, the user terminal requests accessing the application service providing server in order to request a Quality of Service (QoS) to the application service providing server.
<Embodiment of the present invention>
Fig. 8 is a diagram illustrating a service flow for authenticating a user terminal in an interface server according to an embodiment of the present invention.
Referring to Fig. 8, a mobile station (MS) 801, an access control router (ACR) 802, a quality manager (QM) 803, an AAA server 804, an USI system 805, and an iASP 806 exchange information to each other to authenticate a user terminal. The MS 801 may be a user terminal, and the USI system 805 denotes an interface server. The iASP 806 denotes an application service providing server.
The MS 801 requests accessing a network. Then, the ACR 802 and the AAA server 804 perform authentication of accessing at step S811. The AAA server 804 communicates with the USI system 805 and performs USI Registration Request/Confirm at step S812. The MS 801 requests a QoS service to the iASP 806 at step S813.
The iASP 806 transmits a USI request including authentication request information <AuthnRequest> to the MS at step S814. The MS 801 transmits the received USI Request to the USI system 805 using a redirect method at step S815. The USI system 805 performs authentication and identification of the MS 801 for the received USI Request at step S816. The authentication method may be one of an IP address based authentication method, a certification based authentication method, or a user input based authentication method. Such authentication methods are preformed between the USI system 805 and the MS 801 without intervention of the IAS 806. After authentication, the USI system 805 transmits USI Response including authentication result <Response> to the MS 801 at step S817. The MS 801 transmits the received USI Response to the IASP 806 using the redirect method at step S818.
The iASP 806 transmits the USI Request to the USI system 805 to generate a QoS session at step S819. The USI system 805 generates a QoS service right according to a USI Request for generating the QoS session at step S820 and requests the QM 803 to generate resource at step S821. The QM 803 orders the ACR 802 to generate resource at step S822 and the ACR 802 generates resource at step S823. The ACR 802, the QM 803, the AAA 804, and the USI system 805 response for the resource generation at step S824. The USI system 805 transmits a USI response to the iASP 806 including resource generation response information at step S825. The iASP 806 provides a QoS service through the generated resource to the MS 801 according to the USI Response including the resource generation response information at step S826.
Fig. 9 is a diagram illustrating a system for authenticating a user terminal in an interface server in accordance with an embodiment of the present invention.
Referring to Fig. 9, the system includes a MS 901, a network communication system 920, and an application service providing server 930. The application service providing server 830 may be Google as a 3rd party ASP.
The network communication system 920 includes a USI system 921, a RAS 922, an ACR 923, and an USI authentication server 924. The network communication system 920 further includes LGW, PCFR, E-Payment Server, Device Capability Retrieval Server, DCR Server, Wibro(Wimax) Accounting/ Billing System, Wibro(Wimax) subscription System.
In order to perform the authentication of a user terminal described in Fig. 2, the application service providing server 930, the USI system 921, and the USI authentication server 924 mutually exchange data to authenticate an application service providing server 930. The USI authentication server 924 may perform a roll of the AAA server.
In order to perform the authentication of a user terminal described in Fig. 3, the MS 910, the USI system 921, and the application service providing server 930 may mutually exchange data to authenticate a user terminal. The MS 910 is connected to the application service providing server 930 using HTTP and exchange data with the application service providing server 930. The USI system 921 authenticates the MS 910 using an authentication method selected by a policy of a service provider or a user of a user terminal without intervention of the application service providing server 930. The authentication method may be one of an IP address based authentication method, a certification based authentication method, and a user input based authentication method.
For example, a user of a MS 910 is located at an area A. The user accesses a Google server 930 which is an application service providing server and searches a bank through the Google server. The Google server 930 transmits information about banks around the area A among the search result of banks. Here, the Google server 930 accesses the USI system 921 and requests the system information or the information of the MS 910 from the USI system 921. Here, the Google server requests location information of the MS 910 to the USI system 921. For this, the USI system 921 authenticates the MS 910. The USI system 921 authenticates the MS 910 without intervention of the Google server 930 in order to prevent security attack or fault ID when the MS 910 is authenticated.
The method of the present invention described above can be realized as a program and stored in a computer-readable recording medium such as CD-ROM, RAM, ROM, floppy disks, hard disks, magneto-optical disks and the like. Since the process can be easily implemented by those skilled in the art to which the present invention pertains, further description will not be provided herein.
For example, a method for authenticating a user terminal in an interface server according to the present invention can be embodied as a computer readable recording medium. The computer readable recording medium storing the method includes: receiving authentication request information to request authenticating a user terminal that receives an application service from an application service providing server; authenticating the user terminal according to the authenticating request information using an authentication method selected by the interface server or a user of the user terminal; and transmitting authentication response information including an authentication result of performing the authentication method to the application service providing server, wherein the interface server provides an interface for a network to the application service providing server. Further, a method for authenticating a user terminal in an interface server according to the present invention can be embodied as a computer readable recording medium. The computer readable recording medium storing the method includes: receiving authentication request information from an application service providing server to request the interface server to authenticate the user terminal receiving an application service provided from the application service providing server; transmitting the authentication request information to the interface server; receiving authentication response information including an authentication result of performing an authentication method selected by the interface server or a user of the user terminal according to the authentication request information in the interface server; and transmitting the received authentication response information to the application service providing server, wherein the interface server is a server providing an interface for a network to the application service providing server.
While the present invention has been described with respect to the specific embodiments, it will be apparent to those skilled in the art that various changes and modifications may be made without departing from the spirit and scope of the invention as defined in the following claims.
A method for authenticating a user terminal in an interface server, and an interface server and a user terminal using the same according to the present invention can be applied to a communication system using a network for authentication procedure.

Claims (20)

  1. A method for authenticating a user terminal in an interface server, comprising:
    receiving authentication request information from an application service providing server in order to request the interface server to authenticate the user terminal receiving an application service provided from the application service providing server;
    authenticating the user terminal according to the authenticating request information using an authentication method selected by the interface server or a user of the user terminal; and
    transmitting authentication response information including an authentication result of performing the authentication method to the application service providing server,
    wherein the interface server provides an interface for a network to the application service providing server.
  2. The method of claim 1, wherein the authentication request information is received by passing through the user terminal, and the authentication response information is transmitted by passing through the user terminal.
  3. The method of claim 2, wherein a hypertext transfer protocol (HTTP) redirect method is used to transmit and to receive the authentication request information by passing through the user terminal.
  4. The method of claim 1, wherein the authentication method is selected by a policy of a service provider providing the network or the selection of a user of the user terminal.
  5. The method of claim 1, wherein the authentication method includes one of an IP address based authentication method that authenticates the user terminal based on an IP address, a certification based authentication method that authenticates the user terminal based on a certification, or a user input based authentication method that authenticates the user terminal based on information input from a user of the user terminal.
  6. The method of claim 1, wherein the authentication method includes an ID and password input based authentication method that authenticates the user terminal based on ID/PASSWORD input of the user terminal, and the authentication request information is redirected to an apparatus for authenticating the user terminal based on the ID/PASSWORD input using a hypertext transfer protocol (HTTP) redirect method.
  7. The method of claim 1, wherein when the user terminal is successfully authenticated, the authentication response information includes identity information and information about authentication result about a network of a user terminal.
  8. The method of claim 1, wherein the network is a World Interoperability for Microwave Access (WiMAX) network.
  9. The method of claim 1, wherein the authentication request information is generated in the application service providing server when the user terminal requests accessing to the application service providing server.
  10. An interface server, comprising:
    a receiver configured to receive authentication request information from an application service providing server in order to request the interface server to authenticate a user terminal that receives an application service provided from the application service providing server;
    an authentication controller configured to authenticate the user terminal according to the authentication request information using an authentication method selected by the interface server or a user of the user terminal; and
    a transmitter configured to transmit authentication response information including an authentication result of performing the authentication method to the application service providing server,
    wherein the interface server provides an interface for a network to the application service providing server.
  11. A method for authenticating a user terminal in an interface server, comprising:
    receiving authentication request information from an application service providing server in order to request the interface server to authenticate the user terminal receiving an application service provided from the application service providing server;
    transmitting the authentication request information to the interface server;
    receiving authentication response information including an authentication result of performing an authentication method according to the authentication request information in the interface server and the authentication method is selected by the interface server or a user of the user terminal; and
    transmitting the received authentication response information to the application service providing server,
    wherein the interface server is a server providing an interface for a network to the application service providing server.
  12. The method of claim 11, wherein the authentication request information is transmitted to the interface server using a hypertext transfer protocol (HTTP) redirect method and the authentication response information is transmitted to the application service providing server using the HTTP redirect method.
  13. The method of claim 11, wherein the authentication method is selected by a policy of a service provider providing the network or the selection of a user of the user terminal.
  14. The method of claim 11, wherein the authentication method is one of an IP address based authentication method that authenticates the user terminal based on an IP address, a certificate based authentication method that authenticates the user terminal based on a certificate, or a user input based authentication method that authenticates the user terminal based on user information input of the user terminal.
  15. The method of claim 11, wherein the authentication method authenticates the user terminal by mutually exchanging information between the interface server and the user terminal.
  16. The method of claim 15, wherein the authentication method includes an ID and password input based authentication method that authenticates the user terminal based on an ID and a password of the user terminal,
    wherein in order to authenticate the user terminal based on the ID and the password, the method further comprising:
    receiving a request of inputting ID and password information from an apparatus for authenticating a user terminal based on ID and password information;
    receiving ID and password information; and
    transmitting the received ID and password information to the interface server, and
    wherein the apparatus receives the authentication request information from the interface server using a hypertext transfer protocol (HTTP) redirect method.
  17. The method of claim 11, wherein when the user terminal is successfully authenticated according to the authentication method, the authentication response information includes identity information and information about authentication result about a network of a user terminal.
  18. The method of claim 11, wherein the network is a WiMAX network.
  19. The method of claim 11, wherein the authentication request information is generated by the application service providing server when the user terminal requests accessing to the application service providing server.
  20. A user terminal, comprising:
    a receiver configured to receive authentication request information from an application service providing server in order to request the interface server to authenticate the user terminal that receives an application service provided from the application service providing server; and
    a transmitter configured to transmit the authentication request information to the interface server,
    wherein the receiver receives authentication response information including an authentication result of performing an authentication method according to the authentication request information in the interface server and the authentication method is selected by the interface server or a user of the user terminal,
    wherein the transmitter transmits the received authentication response information to the application service providing server, and
    wherein the interface server provides an interface for a network to the application service providing server.
PCT/KR2009/007086 2009-02-27 2009-11-30 Method for user terminal authentication of interface server and interface server and user terminal thereof WO2010098534A1 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
CA2753846A CA2753846C (en) 2009-02-27 2009-11-30 Method for user terminal authentication of interface server and interface server and user terminal thereof
US13/203,664 US8601560B2 (en) 2009-02-27 2009-11-30 Method for user terminal authentication of interface server and interface server and user terminal thereof
RU2011139308/08A RU2491771C2 (en) 2009-02-27 2009-11-30 Method for user terminal authentication of interface server and interface server and user terminal therefor

Applications Claiming Priority (6)

Application Number Priority Date Filing Date Title
KR20090017026 2009-02-27
KR10-2009-0017026 2009-02-27
KR20090025464 2009-03-25
KR10-2009-0025464 2009-03-25
KR1020090058167A KR101094577B1 (en) 2009-02-27 2009-06-29 Method for User Terminal Authentication of Interface Server and Interface Server and User Terminal thereof
KR10-2009-0058167 2009-06-29

Publications (2)

Publication Number Publication Date
WO2010098534A1 true WO2010098534A1 (en) 2010-09-02
WO2010098534A4 WO2010098534A4 (en) 2010-10-28

Family

ID=42665720

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2009/007086 WO2010098534A1 (en) 2009-02-27 2009-11-30 Method for user terminal authentication of interface server and interface server and user terminal thereof

Country Status (1)

Country Link
WO (1) WO2010098534A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102427583A (en) * 2011-12-06 2012-04-25 华为技术有限公司 Wireless local area network (WLAN) access authentication method and device
KR20120087728A (en) * 2011-01-28 2012-08-07 삼성전자주식회사 Method and apparatus for providing qos-based service in wireless communication system
CN103905400B (en) * 2012-12-27 2017-06-23 中国移动通信集团公司 A kind of service authentication method, apparatus and system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH11187016A (en) * 1997-12-24 1999-07-09 Toyo Commun Equip Co Ltd Network authenticating system
KR20070009490A (en) * 2005-07-14 2007-01-18 정태우 System and method for authenticating a user based on the internet protocol address
KR20080085872A (en) * 2005-12-16 2008-09-24 노키아 코포레이션 Support for integrated wlan hotspot clients

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH11187016A (en) * 1997-12-24 1999-07-09 Toyo Commun Equip Co Ltd Network authenticating system
KR20070009490A (en) * 2005-07-14 2007-01-18 정태우 System and method for authenticating a user based on the internet protocol address
KR20080085872A (en) * 2005-12-16 2008-09-24 노키아 코포레이션 Support for integrated wlan hotspot clients

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20120087728A (en) * 2011-01-28 2012-08-07 삼성전자주식회사 Method and apparatus for providing qos-based service in wireless communication system
WO2012102590A3 (en) * 2011-01-28 2012-11-22 Samsung Electronics Co., Ltd. Method and apparatus for providing qos-based service in wireless communication system
CN103477683A (en) * 2011-01-28 2013-12-25 三星电子株式会社 Method and apparatus for providing QoS-based service in wireless communication system
US8913987B2 (en) 2011-01-28 2014-12-16 Samsung Electronics Co., Ltd. Method and apparatus for providing QoS-based service in wireless communication system
KR101673622B1 (en) 2011-01-28 2016-11-08 삼성전자주식회사 Method and apparatus for providing qos-based service in wireless communication system
CN102427583A (en) * 2011-12-06 2012-04-25 华为技术有限公司 Wireless local area network (WLAN) access authentication method and device
CN103905400B (en) * 2012-12-27 2017-06-23 中国移动通信集团公司 A kind of service authentication method, apparatus and system

Also Published As

Publication number Publication date
WO2010098534A4 (en) 2010-10-28

Similar Documents

Publication Publication Date Title
WO2020226454A1 (en) Apparatus and method for providing mobile edge computing services in wireless communication system
WO2021167417A1 (en) Methods and systems for authenticating devices using 3gpp network access credentials for providing mec services
CA2753846C (en) Method for user terminal authentication of interface server and interface server and user terminal thereof
WO2020204474A1 (en) Device and method for providing edge computing service in wireless communication system
WO2021045573A1 (en) Apparatus and method for providing subscription data to non-subscriber registered terminal in wireless communication system
WO2018128499A1 (en) Method and apparatus for selecting an access and mobility management function in a mobile communication system
KR100816561B1 (en) Method for mobile multicast key management using foreign key
WO2017052136A1 (en) Method and device for downloading profile in mobile communication system
WO2011014043A2 (en) Method and apparatus for creating security context and managing communication in mobile communication network
WO2016085292A1 (en) Method and apparatus for providing sponsoring service between user equipments
WO2011055993A2 (en) Apparatus and method for refreshing master session key in wireless communication system
WO2022005170A1 (en) Method and device for interworking between mobile communication network and edge computing system for providing edge computing service
EP2954712A1 (en) Method and user equipment for implementing device to device communications between ues
WO2019031912A1 (en) Manual roaming and data usage rights
WO2016167553A1 (en) Method for performing multiple authentications within service registration procedure
WO2012020958A2 (en) Method and apparatus for providing services at terminal of mobile communication system
JP2003218954A (en) Secure network access method
WO2014171727A1 (en) Apparatus and method for generating key hierarchy in wireless network
WO2010098534A4 (en) Method for user terminal authentication of interface server and interface server and user terminal thereof
WO2022075815A1 (en) Methods and systems for authentication and establishment of secure connection for edge computing services
WO2020222537A1 (en) Server for controlling dedicated network access of secondary terminal accessing dedicated network through primary terminal, and primary terminal
WO2017003255A1 (en) Network selection method and base station
WO2015053602A1 (en) Method and system for supporting security and information for proximity based service in mobile communication system environment
KR101044125B1 (en) Method for User Terminal Authentication of Interface Server and Interface Server and User Terminal thereof
WO2015196350A1 (en) Wireless network access method, system and terminal

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09840880

Country of ref document: EP

Kind code of ref document: A1

WWE Wipo information: entry into national phase

Ref document number: 2753846

Country of ref document: CA

Ref document number: 13203664

Country of ref document: US

NENP Non-entry into the national phase

Ref country code: DE

WWE Wipo information: entry into national phase

Ref document number: 2011139308

Country of ref document: RU

122 Ep: pct application non-entry in european phase

Ref document number: 09840880

Country of ref document: EP

Kind code of ref document: A1